[c-nsp] Cisco VPN Concentrator

Bob Fronk bfronk at davishelliot.com
Thu Nov 10 09:39:56 EST 2005


Cisco VPN 3000 Concentrator.  If you are familiar with this product, you
know that it has two interfaces, one private and one public.  I do not
wish to give this device a public internet address.  I want to place it
behind my PIX.

What I have done:

I have set up a static NAT from a public IP to a private IP

Allowed PPTP, ISAKMP, ESP and GRE traffic to that private address
through the PIX

Connected the private interface of the VPN concentrator (Public
Interface disabled)

Configured the VPN Concentrator to accept EZVPN and PPTP connections

PPTP works fine.  External clients can establish a VPN via PPTP and
access all network resources.

EZVPN however does not work.  Here is the message: 

68 11/10/2005 08:52:11.610 SEV=4 IKE/2 RPT=44 XXX.XXX.XXX.XXX
Filter missing on interface 1, IKE data from Peer XXX.XXX.XXX.XXX dropped

If I enable the "public" filter in the Private Interface, the error
becomes:

94 11/10/2005 08:56:22.380 SEV=4 IKE/0 RPT=1 XXX.XXX.XXX.XXX
Group [Groupname]
Received an unencrypted packet when crypto active!! Dropping packet.

Error on the client is:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at XXX.XXX.XXX.XXX

I have done some searching and cannot find any sample configs that use
only one Interface on the concentrator.  So I am beginning to wonder if
it is possible.  However, since the PPTP works, I have to believe that
the IPSec should work if I can figure out what I have done wrong.

I have attempted to give both Concentrator interfaces a private IP
address, but when I do, all traffic stops and I can't even access it to
configure it except via console.

Any input is appreciated.
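As an added example, not part of the original post and not the poster's actual configuration, this is how the "static NAT plus permit PPTP, ISAKMP, ESP and GRE" steps described above look in PIX 6.3 syntax. The addresses (203.0.113.10 as the public address the PIX answers for the concentrator, 192.168.1.10 as the concentrator's private interface), the interface names inside/outside and the ACL name outside_in are assumptions. The UDP 4500 line covers IKE NAT-T for remote clients that sit behind their own NAT device; the post does not mention such clients, so that line is optional.

```text
: Added example, not the poster's config. Addresses, interface names and
: the ACL name are assumptions. Syntax is PIX 6.3.
:
: One-to-one static so the concentrator's private interface is reachable
: at a single public address. ESP carries no port numbers, so IPsec needs
: a 1:1 static translation rather than PAT.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

access-list outside_in remark PPTP: control channel (TCP 1723) and the GRE tunnel
access-list outside_in permit tcp any host 203.0.113.10 eq pptp
access-list outside_in permit gre any host 203.0.113.10

access-list outside_in remark IPsec: IKE (UDP 500) and ESP
access-list outside_in permit udp any host 203.0.113.10 eq isakmp
access-list outside_in permit esp any host 203.0.113.10

access-list outside_in remark Assumption: IKE NAT-T (UDP 4500) for clients behind their own NAT
access-list outside_in permit udp any host 203.0.113.10 eq 4500

access-group outside_in in interface outside
```

After applying this, "show access-list outside_in" prints per-line hit counts, so a client attempt that increments the isakmp line but never the esp line (or the reverse) shows which leg the firewall is dropping, and "show xlate" confirms the static translation is in place. Packets reach the concentrator with 192.168.1.10 as the destination, since the PIX rewrites the public address before forwarding.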